Please see the FAQ item "Are
there any tools available for debugging Winsock programs?" for more
information on sniffers and shims.
Ratings: Packages are rated on a simple 5-point system. Features and usability are rated on the following scale:
5 points: This is a wonderful product and you should waste no time getting it, if price permits.
4 points: Nearly perfect. Its features are competitive with others in its price class.
3 points: Adequate. This product may be mildly buggy, but it's tolerable. It does what the manual says it will, and it's reasonably usable.
2 points: Yick! This product is buggy, weak, and/or hard to use. Use only if there's no other choice.
1 point: This product is unusable. Stay away.
I've ranked these products from a network developer's perspective. Many of these products are actually targeted towards network administrators, so their focus is a bit off from what the developer needs. So, "alert via pager" features won't help a product's ratings, but available source code and a protocol dissector API will.
Price also matters. A program with features comparable to higher-priced
programs gets one extra point. So, a cheap program given 3 points on its
own merits would get an extra point if its features were comparable to
a more expensive product.
Ratings do not take the platform into account. I do not know what systems you are comfortable with, or what you have available to you for debugging machines. So, I leave it to you to weigh my ratings against your platform preferences. (Any apparent bias against the Unix and DOS text UI programs is due to inherent usability issues.)
If the "Date tried" field is "Long, long ago", the review may well be sadly outdated. I don't have any information on when I last tried the product in question. One Day™ I'll get back to it.
Network Sniffers:
Package: Sniffer Basic
Vendor: Network Associates, Inc.
Platform(s): Win32
User interface: GUI
Price: $1000
Licensing: Commercial
Commentary:
Sniffer Basic (née NetXRay) is a fine commercial sniffer for Windows 95/98 and Windows NT/2000. It is very configurable, allows you to write protocol decoder plugins for custom protocols, and has a very nice user interface. Like all analyzers of its class, it can also generate real-time traffic statistics, with alarms and such. If I had the cash, this is the product that I'd buy.
Date tried: Long, long ago
Version evaluated: unknown
Rating:
Package: EtherPeek
Vendor: The AG Group
Platform(s): Win32, Macintosh
User interface: GUI
Price: $900
Licensing: Commercial
Commentary:
EtherPeek is similar in functionality to Sniffer Basic, though having played with their demo some, I found that I liked Sniffer Basic better. Still, it is a bit cheaper, support is not an extra like it is with Sniffer, and it runs on more platforms.
Date tried: Long, long ago
Version evaluated: unknown
Rating:
Package: Observer
Vendor: Network Instruments
Platform(s): Win32
User interface: GUI
Price: $1000
Licensing: Commercial
Commentary:
Observer is one of the "big boys" of network monitoring tools. However, between my initial passing review and a few reviews I've read in magazines, this package does not look as though it will dethrone the more popular packages any time soon.
Date tried: Long, long ago
Version evaluated: unknown
Rating:
Package: NetBoy Suite
Vendor: NDG Software
Platform(s): Win32
User interface: GUI
Price: $1300
Licensing: Commercial
Commentary:
A few years ago when I tried PacketBoy 1.0, the sniffer component of the suite, it was essentially unusable. I've tried it twice since then (versions 1.44 and 1.5) and although it is now usable, it still has some bugs that should have been eradicated by now. (I crashed 1.5 hard after just five minutes of playing with it!) Be sure to download a demo copy before you commit to buying it!
This package gets another ding due to price. You used to be able to get just the packet sniffer for about $400, but now you must get the whole suite, making it more expensive than the big boys above. Unless you just gotta have their pretty network graphing modules, give this one a miss. You can get a better sniffer for free these days.
Date tried: 4/23/2000
Version evaluated: 1.5
Rating:
Package: NtSniff
Author: Davide Libenzi
Platform(s): Windows NT 4.0
User interface: Console
Price: Free
Licensing: GPL
Commentary:
This appears to be a very simple packet sniffer, on the model of tcpdump: run it from the command line and get text output for each packet received. Unlike tcpdump, it does not have a rich packet matching language: it simply accepts a few command line switches telling it what ports and IP addresses to watch for.
Based on a cursory examination of the package (i.e. unzipping it and looking at the docs and source code (!) a bit), it appears mainly useful as a start at making a more functional sniffer. Beware that it's all under the GPL license, which means you must give away your program's source code if you include any code from this package.
Date tried: Never
Version evaluated: 1.5
Package: Network Spy
Vendor: Code Maniac
Platform(s): Win32
User interface: GUI
Price: $149
Licensing: Shareware
Commentary:
This is a basic GUI sniffer roughly on par with NetSniffer, based on my reading of the web page. The shareware version will capture for 30 seconds at a time, and must be restarted after each capture session.
The package does have a few distinguishing features. There is a network load graph tool, something that usually only appears on higher-end packages aimed at network administrators. Another nice touch is that the author gives you a copy of his Internet Maniac utility package (ping, traceroute, port scan, etc.) when you register the sniffer.
Date tried: Never
Version evaluated: 1.6
Package: Windows 95/98 TCP/UDP Capture Program
Author: nethibeault@worldnet.att.net
Platform(s): Win9x
User interface: GUI
Price: $35
Licensing: Shareware
Commentary:
This package is about as exciting as its name indicates. I hate to be harsh, but I can find no reason to recommend it above any of the other offerings on this page: there are better free offerings, and there are packages that are price-competitive with it that are more functional.
Date tried: Never
Version evaluated: 3.5
Package: The Gobbler
Author: Tirza van Rijn, University of Delft, The Netherlands
Platform(s): DOS
User interface: Text graphics
Licensing: Freeware
Commentary:
The Gobbler is perhaps the best freeware DOS Ethernet sniffer. It has a few quirks, but it's fairly featureful. It can decode the Ethernet, IP, TCP and UDP layers, as well as a few low-level protocols like ARP and ICMP. The interface is notable because it's surprisingly easy to quickly browse a dump looking for interesting packets; many other sniffers' interfaces make it harder to maneuver, so you spend more time fighting the tool than thinking about the data. The source code is available, so in theory you could extend it to your own needs, though I don't know if this is easy to do.
If you can't afford a commercial sniffer and have a DOS box you can dedicate to sniffing, this is the one I'd recommend you get.
Date tried: Long, long ago
Version evaluated: 2.1
Rating:
Package: Snooper
Vendor: Crynwr
Platform(s): DOS and Linux
User interface: Text graphics
Price: $350
Licensing: Commercial
Commentary:
Of the "payware" DOS sniffers, this one is the best, because it has a clean interface that makes it easy to quickly read a packet dump. The other commercial DOS sniffers require significantly more futzing around: move to next packet, re-adjust window to see the part of the packet you want, move to next packet....
Snooper gets additional points because it comes with source code. Crynwr actively hypes the source code as a way to add custom protocol decoders, so it should be straightforward.
Crynwr also offers a similar product called EtherProbe, but it is more oriented towards network management and costs more than Snooper: $995 without source, $1495 with source.
The demo version is limited to five seconds of continuous packet capturing, which makes it a bit hard to evaluate.
Date tried: Long, long ago
Version evaluated: unknown
Rating:
Package: PacketView
Vendor: Klos Technologies
Platform(s): DOS
User interface: Text graphics
Price: $300
Licensing: Commercial
Commentary:
PacketView is similar to Snooper, but it does not come with source code. Also, its interface and online help seem to be trapped in 1988. However, it is easier to evaluate than Snooper, as the demo will capture up to 64K of network data, with the exception that every eighth packet is intentionally overwritten with garbage.
Date tried: Long, long ago
Version evaluated: unknown
Rating:
Package: MONET LAN Analyzer
Vendor: MG-SOFT
Platform(s): DOS
User interface: Text graphics
Price: $90-120, depending on the version
Licensing: Commercial
Commentary:
MONET comes in three versions, a $90 LITE version, which is suitable for network developers, and a $120 version aimed at network administrators.
The demo version of the LITE package is almost fully functional, but it does not appear able to save data to disk. The full version also has a demo version, but it can only work with the canned data that comes with it.
The LITE package appears to be fairly featureful, though its relatively modern interface (think Borland C++ 3.1) is nevertheless somewhat clumsy. That pales in importance, however, in comparison to the product's stability, or lack thereof. I was able to easily lock the LITE demo up twice, and when I tried throwing a 58MB file transfer at it, the program crashed badly enough to cause the machine to reboot before I could walk back into the other room to see how MONET was handling the data! This could be because I was running it on an old 286, but Gobbler, Snooper and PacketView all ran without a hiccup on this machine under similar conditions.
My advice: if you're really so strapped for cash that you can't afford one of the other two DOS payware offerings, you should save your nickels and go with Gobbler, or put Linux on that DOS box and load one of the many free Unix/Linux sniffers.
Date tried: Long, long ago
Version evaluated: unknown
Rating:
Package: tcpdump
Author: Network Research Group, Lawrence Berkeley National Laboratory
Platform(s): Unix
User interface: Text
Licensing: BSD
Commentary:
tcpdump does TCP-level decoding and precious little more. It is optimized for showing only "header-level" information like the TCP flags and such. Getting frame information out of tcpdump is not worth the effort. (See Ethereal, below, for a better way.) tcpdump is good for ad-hoc debugging, especially if you've got easy access to a Unix box on the LAN. tcpdump depends on libpcap.
Date tried: April 10, 2000
Version evaluated: 3.4
Rating:
Package: Analyzer, WinDump and WinPCap
Author: Piero Viano, Paolo Politano and Loris Degioanni
Platform(s): Win32
User interface: GUI and text interfaces
Licensing: Freeware
Commentary:
Analyzer is a GUI built on top of WinPCap, a port of libpcap to Windows. They have also ported tcpdump to Windows, calling it WinDump.
The GUI is top-flight, both from a usability and a features standpoint. The only thing really lacking is that the documentation is still in Italian. The menu items and dialogs are translated into English, however.
Source code is apparently only available for WinDump and WinPCap. See Ethereal, below, for a WinPCap-compatible sniffer whose code is available.
WinPCap is a reasonable way to get low-level network access in your own programs, especially if you don't want to spend any money. Buying one of PCAUSA's kits is probably a better choice if your time isn't free, though.
Date tried: 4/10/2000
Version evaluated: 2.02
Rating:
Package: Ethereal
Author: Many people!
Platform(s): Unix, Win32
User interface: GUI
Licensing: GPL
Commentary:
Ethereal is the tcpdump GUI that we all knew the Open Source community could develop. (There's also a command-line sniffer called Tethereal, which is used much like tcpdump but behaves more like the main GUI program.) It has all the base features you'd expect in a sniffer. Although it lacks some of the network management features of the expensive Windows sniffers, it is strong in other ways. For example, following TCP conversations, rather than simply examining packet dumps, was given a lot of attention.
Ethereal understands a great many protocols, allows for user-written protocol dissectors, can read capture files written by many other sniffer programs, and comes with source code. It's also portable to virtually all Unixen and to Windows. The latter is not an afterthought: Windows binaries are built for every release, soon after the initial source code release.
A truly killer feature is that you can use it to remotely debug network problems: you can dial or telnet into any random Unix box at a remote customer site, upload a copy of Tethereal or tcpdump, capture some network traffic to a file, then download it and look at it with Ethereal. I've used this feature a time or two, and it sure beats a $600 round-trip plane ticket to the customer's site!
Date tried: March 2001
Version evaluated: 0.8.15
Rating:
Package: FreeCap
Author: arton@geocities.co.jp
Platform(s): Windows NT 4.0
User interface: GUI
Licensing: GPL
Commentary:
FreeCap is the same sort of thing as Analyzer, above: a free network driver and packet capture GUI. It was a good idea when it came out, but Analyzer's done the same thing, better: the GUI is far nicer, and its network driver offers the standard libpcap programming interface. Granted, Analyzer doesn't include source for its GUI, but if you need that, you can get Ethereal, which also works with the WinDump driver.
Date tried: Long, long ago
Version evaluated: unknown
Rating:
Package: Sniffit
Author: Brecht Claerhout
Platform(s): Unix
User interface: Text
Licensing: Freeware
Commentary:
Sniffit is a Unix packet sniffer similar to tcpdump. Sniffit differs in that it only dumps the data inside the TCP frames. It dumps this data to files, two per logical connection, one for each direction. Each file is just a raw data dump: there is no timing or sequencing information in the files. This makes Sniffit mainly useful for verifying that your program is sending the intended data, and that the remote machine is replying correctly.
Date tried: Long, long ago
Version evaluated: 0.3.5
Rating:
Package: SPY
Author: Christian Lorenz
Platform(s): Unix
User interface: GUI
Price: Free for noncommercial usage, approx. $430 for single license
Licensing: Quasi-commercial
Date tried: Never
Version evaluated: 3.1.22
Winsock Shims:
Package: TracePlus/Winsock
Vendor: Systems Software Technology, Inc.
Platform(s): Win16, Win32
User interface: GUI
Price: $150 for Win32 only, $210 for Win16 and Win32
Licensing: Commercial
Commentary:
TracePlus/Winsock is a Winsock shim for all combinations of Win32, Win16, Winsock 1.1 and Winsock 2. This appears to be the most powerful product of its kind, and seems like a good value as well. It is reportedly more powerful than a simple Winsock DLL replacement because it uses proprietary technology to hook into the existing DLL, allowing it to monitor a greater variety of network activities than a simple DLL replacement can.
Version evaluated: 3.1.22
Package: SocketSpy
Vendor: WinTECH
Platform(s): Win32 and Win16
User interface: GUI
Price: $60
Licensing: Commercial
Commentary:
SocketSpy is similar to TracePlus/Winsock, though it is cheaper and the license price gets you both the 16 and 32-bit versions. SocketSpy appears to work in much the same way as TracePlus, but since I haven't reviewed either product myself, I can't recommend one over the other.
Version evaluated: 3.1.22
Miscellaneous Debugging Tools:
Package: Atelier Web Security Port Scanner
Author: José Páscoa
Platform(s): Win32
User interface: GUI
Price: $30
Licensing: Shareware
Commentary:
This package started off as a port scanner, something it does well. One thing I particularly like about the port scanning feature is the IANA Ports Database, which tells what purpose the port is registered for, who registered it, and what other uses it's known to have. That alone is a useful enough thing for a network programmer to have.
The tool is on this page for a different reason, though: it's the best "what program is listening on this port?" program I've used. It has a much nicer interface than Inzider, and it found programs that Inzider didn't. That alone justifies the price difference; getting a port scanner and ports database for the price makes it an unbeatable value. (Until Inzider gets improved, that is. :) )
Date tried: 7/1/2000
Version evaluated: 3.02
Rating:
Package: Experience Vision
Vendor: Foundstone
Platform(s): Windows NT 4.0+ (i.e. not for Win9x kernels)
User interface: GUI
Price: $100
Licensing: Commercial
Commentary:
Like Inzider and AWSPS, this program lists the ports open on your machine and tells you which program has each open. This program can also kill programs by port number.
Date tried: Never
Version evaluated: 1.0
Package: Inzider
Author: Arne Vidstrom
Platform(s): Win32
User interface: Sorta GUI (an edit control, basically :) )
Licensing: Freeware
Commentary:
This tool uses some low-level trickery to find out what processes own particular open sockets. You can use this for debugging, or to find out what program owns a socket you see with netstat. Because Windows has no legitimate way to get this information, Inzider does not do a perfect job, but since it's better than nothing, I still think this tool is worth looking at. Look at AW Security Port Scanner for a program that does a better job, if you don't mind spending a little green to get it.
Date tried: 6/28/2000
Version evaluated: 1.2
Rating: